IRC log for #salt, 2015-04-30

All times shown according to UTC.

Time Nick Message
00:00 murrdoc ah
00:00 iggy yeah, thatch joked about being ready for the next-next version to be done with so he doesn't have to spell Be anymore
00:00 joehh Sacro: I'm building lucid packages now for 2014.7.5
00:02 bhosmer_ joined #salt
00:02 dendazen joined #salt
00:05 bootstrappm left #salt
00:05 baweaver joined #salt
00:11 tmclaugh[work] joined #salt
00:12 otter768 joined #salt
00:13 clintberry joined #salt
00:18 scbunn joined #salt
00:21 aquassaut joined #salt
00:31 scoates joined #salt
00:34 DaveQB joined #salt
00:34 solidsnack joined #salt
00:37 baweaver joined #salt
00:39 bhosmer_ joined #salt
00:54 solidsnack joined #salt
00:58 furball365 joined #salt
00:58 relicanth joined #salt
01:00 solidsnack joined #salt
01:11 hoodow joined #salt
01:12 cheus joined #salt
01:16 furball365 joined #salt
01:19 JDiPierro joined #salt
01:20 amcorreia joined #salt
01:22 bhosmer joined #salt
01:26 theo__ joined #salt
01:26 clintberry joined #salt
01:31 markm__ joined #salt
01:34 Valduare joined #salt
01:39 serodriguez joined #salt
01:40 serodriguez Hi, I'm trying to install the mssql module but without success; does someone know how to install its dependency?
01:41 serodriguez or of any module, I'm having trouble installing the Python dependencies in the saltstack minion environment
01:41 bhosmer joined #salt
01:46 ITChap joined #salt
02:02 mpanetta joined #salt
02:03 mpanetta joined #salt
02:13 otter768 joined #salt
02:14 serodriguez Hi, I'm having trouble running some modules; I don't know where and how to install the Python 3rd-party dependencies for the modules
02:17 Hydrosine joined #salt
02:19 mapu joined #salt
02:21 TyrfingMjolnir joined #salt
02:23 evle joined #salt
02:24 SheetiS joined #salt
02:31 iromli joined #salt
02:34 furball365 joined #salt
02:35 Furao joined #salt
02:36 CeBe1 joined #salt
02:43 radd joined #salt
02:46 michelangelo joined #salt
02:47 Hydrosine joined #salt
02:50 otter768 joined #salt
02:50 ajw0100 joined #salt
02:57 favadi joined #salt
03:02 pdayton joined #salt
03:03 rhodgin joined #salt
03:04 andrej Is there a programmatic way (inside a script that uses salt.client) to elevate privilege levels? In my script I use libnmap, which has a way to prompt me for a password to sudo the actual scan, but not the calling python program. I need to use some salt magic in the same script, but that requires me to run the whole thing as root, which breaks my anaconda / libnmap dependency, and I don't want to install anaconda for the root user.
03:05 hemebond andrej: Can you not drop your privileges?
03:05 hemebond As in, run as root, but run as a different user?
03:07 favadi joined #salt
03:09 andrej hemebond : what would that gain me? I start as my user, and this is a short running (relatively speaking) process for an internal audit. I need to portscan our internal network (needs root for nmap) and if a machine that nmap finds is also a salt-minion I need to grab a list of users & running processes off it via salt
03:10 andrej and I don't want to mess with root users account by installing anaconda
03:10 andrej or destroy the system python which salt uses by futzing with pip
03:11 * andrej is a fairly consevative sysadmin type of guy
03:11 andrej convservative
03:11 TyrfingMjolnir joined #salt
03:16 rocket joined #salt
03:17 linjan joined #salt
03:18 rocket I am setting some things in pillars, eg a role field, but they are coming from two sls files and the latest file is overwriting the first one
03:18 rocket is there a way to merge instead of overwrite?
03:18 hemebond rocket: I don't believe you can merge values, no.
03:18 hemebond Unless maybe if it's a list.
03:18 rocket ok .. bummer :/
03:23 SeeDickCode joined #salt
03:28 VR-Jack2 yeah, pillar namespace is flat, so conflicts are overwritten or merged depending on the type
03:29 StDiluted joined #salt
03:50 rhodgin joined #salt
03:56 blacked joined #salt
03:58 iggy if it's a relatively recent version lists should merge
04:05 lictor36 joined #salt
04:06 lictor36 left #salt
04:10 Singularo joined #salt
04:13 rocket in the top.sls of a pillar can you do
04:13 rocket - roles:
04:13 rocket - foo
04:13 rocket - bar
04:13 rocket ?
04:14 radd joined #salt
04:15 __number5__ rocket, gist/refheap/pastebin please
04:15 rocket __number5__: I have already abandoned the thought so I dont have a pastebin handy ..
04:17 VR-Jack2 iggy will cry if you pastebin anyways
04:19 catpig joined #salt
04:20 iggy 'P@roles:foo or P@roles:bar':\n  - match: compound
04:20 iggy iiuc
04:28 blacked joined #salt
04:44 jdesilet joined #salt
04:47 radd joined #salt
04:50 synestine1 joined #salt
04:52 carmony joined #salt
04:53 mosen joined #salt
05:01 markm_ joined #salt
05:07 solidsnack joined #salt
05:13 ajw0100 joined #salt
05:14 manytrees left #salt
05:20 stanchan joined #salt
05:21 badon joined #salt
05:23 armguy for pkgrepo.managed, can keyserver be something like this: pgp.mit.edu:80? It does not seem clear in the docs if this is allowed if you need to go out port 80
05:24 muntazz joined #salt
05:24 muntazz chat
05:24 muntazz left #salt
05:26 desposo joined #salt
05:27 MatthewsFace joined #salt
05:27 jhauser joined #salt
05:29 Furao joined #salt
05:29 blacked joined #salt
05:35 FeatherKing joined #salt
05:39 heise joined #salt
05:40 catpigger joined #salt
05:42 mikeywaites joined #salt
05:45 otter768 joined #salt
05:46 stoogenmeyer_ joined #salt
05:54 joeto joined #salt
05:57 ktosiek joined #salt
06:07 lb1a joined #salt
06:08 AndreasLutro joined #salt
06:11 flyboy joined #salt
06:12 colttt joined #salt
06:13 stanchan_ joined #salt
06:13 notnotpe_ joined #salt
06:14 kawa2014 joined #salt
06:21 markm__ joined #salt
06:34 BretFisher joined #salt
06:35 ktosiek joined #salt
06:36 moos3 joined #salt
06:38 ndrei joined #salt
06:38 babilen joined #salt
06:40 dRiN joined #salt
06:40 KermitTheFragger joined #salt
06:42 Auroch joined #salt
06:44 blacked joined #salt
06:49 Berty_ joined #salt
06:57 krelo joined #salt
07:00 julienlavergne joined #salt
07:02 __number5__ Is there a simple way to aggregate 3 highstate run summary to send it back via slack in salt  Orchestrate Runner?
07:02 al joined #salt
07:04 Romlok joined #salt
07:04 hebz0rl joined #salt
07:05 vincehu joined #salt
07:12 jeffspeff joined #salt
07:12 FRANK_T joined #salt
07:13 OnTheRock joined #salt
07:13 msciciel joined #salt
07:13 eseyman joined #salt
07:13 desposo joined #salt
07:13 Nebraskka joined #salt
07:18 JPaul joined #salt
07:18 Furao joined #salt
07:29 o5k_ joined #salt
07:32 gdm85 joined #salt
07:32 teogop_ joined #salt
07:39 thayne joined #salt
07:40 _JZ_ joined #salt
07:44 fbergroth joined #salt
07:46 otter768 joined #salt
07:47 CeBe joined #salt
07:50 zer0def joined #salt
07:53 chiui joined #salt
07:54 c10 joined #salt
07:57 c10_ joined #salt
07:59 clmsy joined #salt
08:03 mikeywaites joined #salt
08:08 c10b10 joined #salt
08:13 Xevian joined #salt
08:14 refnode__ joined #salt
08:15 zer0def joined #salt
08:17 viderbit joined #salt
08:17 jrluis joined #salt
08:27 MaliutaLap joined #salt
08:31 ktosiek joined #salt
08:32 llb joined #salt
08:39 blacked joined #salt
08:39 OnTheRock joined #salt
08:47 che-arne joined #salt
08:48 N-Mi joined #salt
08:48 N-Mi joined #salt
08:50 djinni` joined #salt
08:55 bluenemo joined #salt
08:55 bluenemo joined #salt
08:58 julienlavergne1 joined #salt
09:01 CeBe1 joined #salt
09:06 harkx joined #salt
09:07 dendazen joined #salt
09:07 cberndt joined #salt
09:16 markm_ joined #salt
09:19 fxhp joined #salt
09:24 julienlavergne joined #salt
09:25 clmsy joined #salt
09:33 o5k joined #salt
09:37 ITChap joined #salt
09:41 giantlock joined #salt
09:41 peters-tx joined #salt
09:41 fredvd joined #salt
09:43 dynamicudpate joined #salt
09:46 ndrei joined #salt
09:47 otter768 joined #salt
09:48 riftman joined #salt
09:48 cygnetix joined #salt
09:49 xnaveira hi, I'm trying to schedule periodic runs of the highstates in the minions via pillar. I added the following pillar but it doesn't seem to work; how could I check that this is in fact correct?
09:49 xnaveira schedule:
09:49 xnaveira { 'highstate': { 'function': 'state.highstate', 'minutes': '5' } }
09:51 ThomasJ Using the same here. You can check that the pillar is present on the minion by querying it pillar.get schedule
09:52 ThomasJ If the pillar is missing from the minions, try forcing a refresh using salt '*' saltutil.refresh_pillar
09:54 xnaveira ThomasJ: yes, I get the pillar in the minions but it doesn't seem to work, how can i check that the syntax is correct etc
09:56 ThomasJ xnaveira: documentation usually :)  but here is the one I am using http://pastebin.com/yvR0sN5h
09:57 xnaveira ok ty ThomasJ !
09:58 gdm85 is it possible to specify a pillar variable like as "config.key: xxxxxx" ?
09:58 gdm85 instead of the usual dictionary format
09:58 julienlavergne1 joined #salt
10:12 wnkz joined #salt
10:17 tuor joined #salt
10:18 xnaveira Still no luck ThomasJ, I tested putting the dictionary in the minion config instead and it worked, seems that I hit this issue https://github.com/saltstack/salt/issues/10621
10:20 N-Mi joined #salt
10:23 riftman joined #salt
10:29 Guest70 joined #salt
10:31 bluenemo joined #salt
10:41 keimlink joined #salt
10:41 mike25de hi guys ... i have a state which includes 10 other states (each of these is just creating a file and a symlink). After all these states are done creating files ... i want to restart a service. I know i can add a watch statement... but i want to restart the service once after all the included states have done creating files.  IS that possible? Thanks in advance
10:42 giantlock joined #salt
10:45 BuGless joined #salt
10:46 clemensb joined #salt
10:46 matthew-parlette joined #salt
10:48 BuGless I'm running Debian testing, and I notice that for a minion, the memory footprint seems a lot larger than what would be considered modest.  DRS: 302MB, RSS: 42MB.  Is that to be expected?  Or are there memory leaks in the minion/python?
10:48 clmsy joined #salt
10:54 toastedpenguin joined #salt
10:58 bhosmer joined #salt
11:17 zz_ashmckenzie joined #salt
11:20 elfixit joined #salt
11:24 joehh BuGless: are you running 2014.1.13 (ie default for debian testing) or something else from debian.saltstack.com
11:24 joehh ?
11:24 debian112 joined #salt
11:25 joehh I'm not aware of any memory leaks, but we have a few problematic minions on some machines with memory heavy apps
11:25 joehh I suspect the version is 2014.1.13 for them
11:26 Romlok fwiw, my numbers are similar on Debian stable and 2014.7.5
11:26 Romlok err, old-stable now, I guess
11:26 Romlok ie; wheezy
11:26 joehh how do you get DRS?
11:27 Romlok ps vax | grep -e salt -e PID
11:27 Romlok is what I used
11:30 evle1 joined #salt
11:33 BuGless joehh: I'm running vanilla testing and saltstack that comes with it: 2014.1.13+ds-3
11:33 joehh That is roughly what I see for a debian wheezy machine running the same release
11:33 joehh PID TTY      STAT   TIME  MAJFL   TRS   DRS   RSS %MEM COMMAND
11:33 joehh 2663 ?        Sl    47:33     25  2392 301439 34312  3.3 /usr/bin/python /usr/bin/salt-minion -d
11:33 ndrei joined #salt
11:34 BuGless Well, the numbers sound/look ridiculously high
11:34 BuGless 300MB of VM and 34MB of RAM for a minion that is idle?
11:35 joehh I don't think it is a memory leak - a restart gives very similar values almost immediately
11:35 AndreasLutro my desktop notification manager uses more VM than that, not sure it matters?
11:35 mage_ a "highstate" means executing everything in top.sls ?
11:36 joehh PID TTY      STAT   TIME  MAJFL   TRS   DRS   RSS %MEM COMMAND
11:36 joehh 10476 ?        Sl     0:00      0  2392 302807 34156  3.3 /usr/bin/python /usr/bin/salt-minion -d
11:36 AndreasLutro mage_: yes
11:36 mage_ thanks
11:36 ThomasJ root     21460  0.0  1.9 547348 79956 ?        Ssl  Apr29   1:31 /usr/bin/python /usr/bin/salt-minion
11:36 BuGless It only doesn't matter if it's memory mapped files/libs
11:37 BuGless Using 34MB of real RAM is close to a crime though for an otherwise idle daemon
11:38 ThomasJ BuGless: Idle or not it still needs to load the same code/libraries/etc
11:39 BuGless Yes, but my question would then be, what on earth is it all loading, and why isn't this done smarter than this?
11:39 viq joined #salt
11:40 AndreasLutro BuGless: my 1000 line python program which is also a long running process uses 24mb, I don't think it's a big deal
11:40 Andre-B joined #salt
11:40 ThomasJ If you fire up htop, filter down to salt-minion, select it and hit l you will see everything it is pulling in as far as libraries goes
11:41 ThomasJ Or just lsof directly
11:41 c10b10_ joined #salt
11:42 BuGless AndreasLutro: I can even create a 5 line python program that uses 24MB, so that is no excuse.  34MB for a daemon that is mostly idle borders on incompetence.
11:42 AndreasLutro ok, if you say so
11:43 pf_moore joined #salt
11:48 tmclaugh[work] joined #salt
11:48 otter768 joined #salt
11:53 c10b10_ i'm getting this weird error: https://www.dropbox.com/s/l8b0pj4p2t47q4x/Screenshot%202015-04-30%2014.53.07.png?dl=0
11:53 c10b10_ the directory exists
11:54 JDiPierro joined #salt
11:54 c10 any ideas why?
11:55 amcorreia joined #salt
11:55 AndreasLutro c10: you need at least 1 state with an ID that starts with /etc/nginx/sites-enabled/ for that to work, I thinm
11:55 AndreasLutro think*
11:56 Berty_ joined #salt
11:56 c10 hm, i don't think that's right. fyi, the state looks like this: https://www.dropbox.com/s/v5aco5ezes8ljgh/Screenshot%202015-04-30%2014.56.20.png?dl=0
11:57 jonatas_oliveira joined #salt
11:57 Romlok for watch, I think salt only knows about things that are in state files
11:58 Romlok so if you don't have salt manage any files in that directory, it's not going to find anything to watch
11:58 c10 what do you mean, things that are in state files?
11:59 Romlok like defined in an sls file using file.managed, file.symlink, etc.
11:59 AndreasLutro personally I use watch_in in each state that manages the site-enabled symlink, instead of the watch glob
12:00 c10 AndreasLutro: That seems like a good idea
12:01 c10 still, i find it weird that it doesn't work. I'm doing what is stated here as the solution: http://stackoverflow.com/questions/23716009/saltstack-in-a-watch-statement-how-do-i-specify-a-directory-where-all-files-sh
12:02 c10 AndreasLutro: What would the watch_in look like?
12:03 bluenemo joined #salt
12:03 slav0nic joined #salt
12:09 AndreasLutro c10: https://bpaste.net/show/480d0c157b6f
12:09 AndreasLutro not sure if those arguments are correct, just took it off the top of my head
12:09 c10 got it, ty
12:10 c10 was looking for the "service: nginx" part
12:13 tmclaugh[work] joined #salt
12:14 viq joined #salt
12:19 aquassaut joined #salt
12:23 coreping joined #salt
12:25 llb joined #salt
12:26 llb left #salt
12:26 llb255 joined #salt
12:33 signull joined #salt
12:33 mapu joined #salt
12:34 lichtamberg_ joined #salt
12:34 lichtamberg_ hi
12:35 lichtamberg_ can someone tell me which user is chosen for the ssh connection by default, when i provision a vagrant machine via master/client?
12:35 lichtamberg_ i get this error, and i wonder which user i should be
12:35 lichtamberg_ Unable to create '/home/vagrant/.rbenv/.git/index.lock': Permission denied
12:36 AndreasLutro lichtamberg_: whatever user you start the master/minion daemons as - also there's no ssh connection in a master/minion setup
12:36 babilen lichtamberg_: I'd ask #vagrant, salt has little to do with that. There simply is no SSH connection at all.
12:36 dendazen joined #salt
12:36 lichtamberg_ ah ok
12:37 lichtamberg_ thx!
12:37 babilen That being said: Could you show us your Vagrantfile ? (/me is in #vagrant too and think that you should rather ask there though)
12:37 babilen Use a pastebin such as http://refheap.com and remove sensitive data
12:38 AndreasLutro yeah - on second thought that doesn't look salt related
12:38 lichtamberg_ https://gist.github.com/lichtamberg/6ec9b1005ec8820be3cb
12:38 lichtamberg_ thx!
12:46 eseyman joined #salt
12:49 iMil joined #salt
12:49 iMil joined #salt
12:50 jerematic joined #salt
12:51 dh joined #salt
12:52 rypeck joined #salt
12:53 imil_ joined #salt
12:54 JDiPierro joined #salt
12:55 bhosmer_ joined #salt
12:58 gdm85 [ERROR ] An un-handled exception was caught by salt's global exception handler:
12:58 gdm85 TypeError: list indices must be integers, not str
12:58 gdm85 *ouch*
12:59 subsignal joined #salt
13:00 Guest15 joined #salt
13:00 ntropy basic question - if you have /srv/pillar and /srv/salt, how do you version control these?
13:00 ntropy you have 2 repositories?
13:01 Romlok ntropy: personally, I have them both in one repository stored elsewhere (under /opt/), and symlink /srv/pillar and /srv/salt
13:02 jcockhren ntropy: you don't version control those directories. you leverage salt's gitfs feature and have salt pull states and pillars from a git repo
13:02 jcockhren s/a//
13:04 murrdoc joined #salt
13:04 jdesilet joined #salt
13:04 gdm85 jcockhren: you have passwords and such also in git?
13:05 mpanetta joined #salt
13:05 ntropy jcockhren: yes, thats a nice setup and ill end up doing that pretty soon, first i need to organise my states & pillar better though
13:06 murrdoc if you are writing a custom state file, use state.single to call other state functions
13:06 ntropy Romlok: i like this idea for the time being, thanks
13:06 jcockhren gdm85: no. use: http://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html#module-salt.renderers.gpg
13:06 mpanetta joined #salt
13:07 rhodgin joined #salt
13:07 jcockhren gdm85: encrypt sensitive pillar values. Have them decrypted then sent to the proper minions.
13:08 FeatherKing joined #salt
13:08 jcockhren gdm85: the render can work in one of 2 ways: 1. master decrypts then sends to minion OR 2. master sends encrypted data to be decrypted by receiving minion
13:08 jcockhren renderer*
13:09 gdm85 well..I am somewhat surprised we have to do this still in 2015 :s
13:09 ntropy gdm85: what do you mean by that?
13:09 jcockhren gdm85: you mean encrypt data?
13:09 jcockhren lol
13:09 gdm85 I mean, gpg is nice..but far from elegant. you are still storing the key in git, although encrypted.
13:10 jcockhren gdm85: the key? what key?
13:10 gdm85 jcockhren: the password/key/secret that you encrypted.
13:11 jcockhren ah.
13:11 jcockhren why is that an issue?
13:11 jcockhren asymmetric encryption doesn't work?
13:11 [1]Dom joined #salt
13:11 jcockhren also... see there are many external pillars
13:11 jcockhren so not "just" gitfs
13:12 rhodgin joined #salt
13:12 gdm85 jcockhren: the problem is that you're still mixing up source/instructions with encrypted material. if the gpg private key is compromised you have a hell of a job to track what was compromised.
13:12 gdm85 of course you can put all your encrypted material in another place..
13:13 Tecnico1931 joined #salt
13:13 ThomasJ gdm85: If the private key is compromised, the salt master is compromised, and thus any data it has access to, encrypted or not
13:13 jcockhren I mean... you use ssh right?
13:13 jcockhren private keys sit on your machine
13:14 gdm85 ThomasJ that's not the problem. I am not looking at one salt master. I am talking in general about the policy of properly keeping secure material. if you scatter it around carelessly with source code..it's a bad practice.
13:15 gdm85 you can't easily track all users/hosts that contain it, for example.
13:15 gdm85 (I mean once it has been compromised)
13:15 ThomasJ I'm not sure where source code comes into play here
13:15 ntropy gdm85: if you use gpg renderer with method #1 - master decrypts then sends to minion, the private key only needs to be on salt master
13:16 gdm85 by source code I mean salt templates and pillar definitions (without the secrets part)
13:16 fusionx86 joined #salt
13:16 gdm85 ntropy: yes but if you use a VCS to store the encrypted material together with templates..
13:16 ThomasJ In my case, the encrypted material exists in one location, the given pillar source I use, which is in itself a secure location/system. If someone gains access to it, nothing to be concerned about. It is encrypted.
13:17 ThomasJ The encrypted data can only be decrypted using the private key which resides on the salt master
13:17 ntropy gdm85: you dont mix encrypted material together with templates, encrypted material is in pillar, templates are in states
13:17 ThomasJ If someone gains access to the private key, they have access to the salt master, at which point it would be irrelevant whether it was encrypted in the first place or not
13:17 gdm85 ntropy: yes, but some people version also the pillars
13:18 ThomasJ gdm85: And you should version the pillars
13:18 ThomasJ Otherwise it becomes impossible to track changes when you reach a certain size or have n people working on pillars
13:18 gdm85 ThomasJ: I am saying that if you version your pillars with encrypted passwords, it's a bad practice IMO.
13:18 gdm85 not as bad as versioning passwords in clear..but still.
13:18 ThomasJ gdm85: So you should version them without encryption?
13:19 gdm85 ThomasJ: no. they should not be in VCS. full stop.
13:19 jcockhren I think I get what gdm85 is trying to get at
13:19 ThomasJ gdm85: Really? So they should sit in a file on a folder structure on the salt master, but not sit in a folder structure where it is coupled with metadata that keeps track of changes?
13:19 racooper joined #salt
13:19 jcockhren are you referring to systems that prevent previously used passwords
13:20 gdm85 ThomasJ: you see? that's why I said that I am surprised we still do it this way in 2015! :)
13:20 gdm85 let's be clear, probably I'd just use the renderer with gpg, but..I am saying that it's a hack, could be a tad better :)
13:20 jcockhren gdm85: example?
13:21 ThomasJ gdm85: Well, if you figure out a way of storing data in a way that prevents people from reading it without involving encryption, while still letting a privileged user/process read it, please let us know
13:21 gdm85 jcockhren: previously used passwords is one case. but if you have 100 developers that checked out the encrypted version, and the gpg private key is compromised..you suddenly have 100 potential hosts that could leak it. see what I mean? instead if the "secret" is injected into the salt minion only when needed, the scenario is a bit less complex to audit after an incident.
13:22 gdm85 jcockhren ThomasJ there have been attempts, involving encrypted git and similar.
13:22 gdm85 they still look like hacks..but I think there's hope for future :)
13:22 ThomasJ and encryption requires a key, which is exactly what the gpg renderer does
13:23 gdm85 ThomasJ: my point is to not mix them up, because they are *NOT* of the same sensitivity level.
13:23 gdm85 you can still have separate repos for encrypted pillar data
13:23 XenophonF left #salt
13:23 gdm85 that'd be a good start.
13:23 jcockhren gdm85: 1. there should be an internal ACL for developers to access states and pillars
13:24 ThomasJ You can put the pillar data in as many repos as you want, it won't do much good in any case, as in the event of the key being leaked, it is because of someone accessing the salt master, at which point they have _FULL_ access to any pillar source
13:24 jcockhren 2. you can have multiple git repos for both states and pillars
13:25 jcockhren 3. roll your creds
13:25 jcockhren 4. automate as much as you can of #3
13:25 jcockhren #4 is hard
13:26 gdm85 ThomasJ: it's still a tad better. imagine you're using git and you disable the cache on the master (if master caches git-accessed resources, I assume yes), then you can revoke access and you can check last time of access. this allows to better track your secret stuff..
13:27 gdm85 jcockhren: exactly what I am saying, there's no advanced authorization in our VCS/configuration management systems :)
13:27 gdm85 but..it was just brainstorming, no flames :P thanks for discussing though.
13:28 jcockhren I understand. I don't think VCS and CM systems should solve that problem
13:28 hasues joined #salt
13:29 ThomasJ Access to the encrypted data is really irrelevant. It's encrypted and useless to anyone without the private key which should be securely stored on the salt master which should be hardened. Which means that to actually do anything with the data you need the private key, thus access to the saltmaster. And the second you have access to the salt master you have access to everything the salt master has access to,
13:29 ThomasJ including pillars containing the sensitive data, encrypted or not, cached or not
13:29 dendazen when i use “from path import blah with context” is it relative path to what?
13:29 jcockhren usually these tools leverage external auth in some manner
13:30 jcockhren in the case of running modules to access data, you have an ACL setting on master to restrict which users can run what commands
13:31 AndreasLutro dendazen: your file_roots
13:31 dendazen Thanks.
13:31 jcockhren even then. what if one of the "chosen" devs leak encrypted data and some attacker already compromised master?
13:32 jcockhren that is *should* trigger somewhat of a DR scenario
13:32 jcockhren if that does not, then it's a people problem, not a tooling problem
13:32 ThomasJ But devs really should not have access to the saltmaster though
13:33 * murrdoc co signs ThomasJ comment
13:33 jcockhren but they may have permission to call modules that retrieves data
13:33 yaryarrr joined #salt
13:33 pdayton joined #salt
13:33 murrdoc salt-api for the win
13:34 jcockhren I agree ThomasJ, but I want to push this far enough to show it's not a tooling issue
13:34 ThomasJ *nods*
13:34 ksj is there any easier way to check the built in docs than running e.g. 'salt \* sys.state_doc pkg'? This runs against all minions, so I tend to target it just to one for the sake of efficiency, but it still seems backwards. would be great if there were a salt-doc command that searched both state and execution modules
13:34 echo joined #salt
13:34 ksj and piped it into a pager
13:34 jcockhren in the case of leaked creds, you should roughly know the time, t, to roll them.
13:35 jcockhren Only involving people at purposeful manual gates reduces the chances of leakage
13:36 perfectsine joined #salt
13:37 gdm85 ThomasJ: there is no single master. there can be more masters..more keys also. I was talking about the natural "scattering" that happens when you don't clearly separate them, and also how pointless it is to track access (and where is what) if you don't have them separated.
13:38 gdm85 an encrypted secret is still a secret, compared to a gibberish base64 chunk of /dev/urandom. Because when the key is compromised, the former *is* something while the latter is still gibberish :P
13:38 jcockhren new systems in your infra (like a new master) should be either purposely manual or have your infra be able to whip new things up with new keys in an automated way
13:39 jcockhren roll your creds, then it's no longer a key
13:40 ThomasJ gdm85: I see your point. But at the same time, I disagree somewhat as access to the encrypted data itself is only as secure as your key. And when the key is stored at the point(s) where the data is decrypted, or accessed by the master(s), everything else really becomes irrelevant. Also keeping in mind of course that the data you are protecting will in more or less all cases be stored in plaintext or hashed on
13:40 ThomasJ the target minion
13:40 gdm85 jcockhren: yes - in theory these things should be done periodically, so that they get tested :)
13:41 gdm85 ThomasJ: ok, but you can have auditing systems on the minion *and* on the master, to make sure you know when/how certain files are accessed (I am just pushing it on the theoretical side here..)
13:41 * ThomasJ nods
13:41 ThomasJ You should have auditing systems on all levels tbh
13:41 ThomasJ We do at least
13:41 ntropy ksj: you can do salt-call sys.state_doc pkg, not sure if thats easier :)
13:41 jcockhren gdm85: yeah. like I said, that's not the problem VCS and CM should solve. that's IDS
13:42 gdm85 yes, but then it becomes crucial to silence the noise - as such systems are as good as they're focused on the real important bits.
13:42 tmclaugh[work] joined #salt
13:42 gdm85 jcockhren: uhm..but you think it's easy/seamless to integrate them with existing tools?
13:43 ksj ntropy: not really unfortunately, because I'm not logged into the minions, I'm running the command on the master so salt-call fails
13:43 jcockhren gdm85: yes. want an example?
13:43 gdm85 jcockhren: shoot it :)
13:44 ntropy ksj: then i guess you can install salt packages on a box not connected to your master and run salt-call --local? :)
13:44 jcockhren gdm85: most IDS' out there send a trigger when something is modified that shouldn't have been (since last check) and that isn't marked as safe
13:44 jcockhren usually an email right?
13:44 gdm85 let's say a "signal", to be generic.
13:44 jcockhren the email is well formatted on purpose
13:45 hasues left #salt
13:45 jcockhren ok signal
13:45 jcockhren so you know when there's something that needs to be investigated
13:45 jcockhren investigated by whom? a person
13:46 jcockhren also, there are cases where before investigation starts, automated steps need to happen
13:47 jcockhren we have at our disposal, message queues and salt-api (and reactors if you like)
13:48 jcockhren beyond a given threshold, the processing of issues in the queue should trigger events through the API
13:48 xintron joined #salt
13:48 jcockhren the system triggering the salt-api is ACL to only do the needful
13:49 otter768 joined #salt
13:49 jcockhren that's only one part
13:49 xintron What is the easiest way to add a user to a group? pw_user.chgroups worked fine (the module) but the user state only checks if it exsits or not (and in that case adds groups etc)
13:49 xintron In my case I only want to append a group to a specific user (that I know exists based on previous required state)
13:49 jcockhren we know the regex for almost all known log message formats
13:50 jcockhren for monitoring, your person should have quick access to the right data in the corresponding event
13:50 gdm85 jcockhren: ok, I get what you mean there. I was pushing forward the principle of "no passwords stored in VCS", to see how one follows the "golden path" when VCS will also store production pillar data.
13:50 jcockhren (this should already be in place)
13:51 StDiluted joined #salt
13:52 ntropy xintron: does optional_groups parameter in salt.states.user.present do what you want?
13:53 xintron ntropy, It kinda does. I did decide to go the other way instead though: group.present and then use addusers to add accordingly
13:53 ntropy cool :)
13:54 xintron It solved the second issue: removing a user from a group (and only that group) :)
13:54 xintron Where optional_groups/groups did not help
13:54 jcockhren gdm85: I think that was referring to 'clear' passwords
13:54 jcockhren b/c people store 'clear' passwords in VCS
13:54 gdm85 jcockhren: yes. but I disagree that encrypting them is as good as not having them there in first place.
13:55 gdm85 it's not because of being extremely pedantic, it's really different from a security management perspective.
13:56 jcockhren meh right? you log into your bank. I betcha they tracking changes to their DB
13:56 dyasny joined #salt
13:57 jcockhren in some countries, you login with a RSA key. 1 min refresh time
13:57 jcockhren multi-factor
13:57 jcockhren and systems (not just people) can also auth to other systems in a multi-factor way.
13:58 jcockhren DB are version controlled and the data is duplicated
13:58 timoguin joined #salt
13:58 jcockhren redundancy is necessary
13:58 gdm85 that's not the right example. you don't checkout all the data - encrypted - of a bank's customers at once when accessing your bank account.
13:59 jcockhren but the bank has the encrypted data duplicated for redundancy
14:00 jcockhren which was your original issue. having multiple copies of secure data around
14:00 gdm85 the issue I proposed is that it shouldn't be where I don't want it to be, but I guess we can limit it to the domain of VCSes (and their implementation of ACLs)
14:01 gdm85 (given that one disables caches here and there :P)
14:02 jcockhren ok cool. so you have pillar/data targeting, developers are purposely granted access. they work on company owned machines that mandate encrypted harddrives
14:03 jcockhren they log into those machines with AD or LDAP
14:04 jcockhren I guess that doesn't stop them from placing in a flash drive, but that's a people problem
14:04 drawsmcgraw joined #salt
14:05 gdm85 jcockhren: if you don't have all your encrypted passwords on all developers' boxes, that's already enough. at least in case of a leak you know the graph of leakage
14:05 gdm85 just a bit of depth :)
14:05 gdm85 I mean, having "depth" instead of a flat scenario where everybody has everything. because that's unfortunately what I see most times..
14:06 gdm85 questions like "why does the marketing guy have the root password of production server X?" have not been uncommon in my experience :)
14:10 andrew_v joined #salt
14:12 rojem joined #salt
14:13 rojem_ joined #salt
14:17 iggy simple solution... fix it
14:20 Sketch my favorite was when everyone in the company logged into the samba fileserver as root ;)
14:20 sandah joined #salt
14:20 StDiluted joined #salt
14:20 jcockhren iggy++
14:21 jcockhren gdm85: I mean. in the most extreme cases of carelessness, no amount of tooling can fix that
14:21 jcockhren that's a people problem
14:23 jcockhren all security methodology is pointless if it isn't enforced/everyone agrees to do it
14:23 jcockhren the tooling won't matter
14:24 jcockhren you can change company culture though new tools
14:24 jcockhren I promise
14:24 jcockhren ;)
14:24 jcockhren through*
14:24 iggy someone should write up a doc on salt security best practices
14:25 ek6 jcockhren: sure but whips are frowned upon.....thought about a couple cue balls in a sock
14:25 ek6 iggy: problem is where do you draw the paranoia line
14:25 iggy whips frowned upon? that's a shame
14:26 ek6 i agree.... its hard to say 'the beatings will continue until morale improves' WITHOUT the whip in your hand
14:26 ek6 its just so many words
14:26 SEJeff joined #salt
14:27 * iggy --> work
14:28 VR-Jack2 Perhaps I missed it, but salt security is only at the module level and not the parameter level?
14:29 Guest15 joined #salt
14:29 rhodgin joined #salt
14:30 CedNantes joined #salt
14:30 CedNantes hi there ! Anyone here has ever tested saltpad ?
14:31 VR-Jack2 briefly looked at it. It's definitely not foreman
14:33 CedNantes i wanted to test it but i get http 500 error and salt master logs told me : Authentication failure of type "eauth" occurred.
14:34 gdm85 jcockhren: so you propose to make a congress, and implement security only when everybody agrees? I like your socialism! :P to me, it's proportional to how easy are tools to use. I don't even blame the users when the UI of tools are unusable, or when the wrong tools were pushed through.
14:34 slav0nic joined #salt
14:34 gdm85 one thing that I hope will increasingly be understood is that if you invest money in the tools to make them secure *and* usable, it will happen. not magically, like putting all the pieces of a 747 on a lane and pretending a plane to be assembled by wind. :)
14:35 jcockhren gdm85: this is normal. When you agree to be an employee somewhere, you're agreeing to uphold the rules bro.
14:35 ndrei joined #salt
14:35 jcockhren gdm85: there should always be space to R&D better tools for assist. If that space doesn't exist, it's a culture problem
14:36 gdm85 jcockhren: what I am saying it's not only by methodology you'll get there e.g. a secure operations way of working. sure, it's culture also, but can't blame users if things are too hard to use..they'll use workarounds. it's how humans work.
14:37 Tyrm joined #salt
14:37 jcockhren gdm85: there's a line. if the "workaround" is for people logging into a production server with the root account, I mean.... it's your job (ops) to make it "easy" for people not to do that.
14:37 jcockhren that not only means tools, but training and education as well
14:37 clintberry joined #salt
14:38 jcockhren you have to spend time with people for them to understand.
14:38 mage_ in a state file with a file.managed, how could I execute a command if either the file changed or is new ? (in my case it's a custom pkgng repos and I need to run pkg update in such case)
14:38 kaptk2 joined #salt
14:39 fusionx8_ joined #salt
14:39 gdm85 jcockhren: yeah, I agre
14:39 gdm85 *agree
14:40 xintron If I have a nested grain: foo:bar = [], how can I append to this using the grains module?
14:40 xintron I see  get that supports colon delimited fetches but is there a setter to go with this?
14:40 mage_ on_changes: pkgng.update_packaging_site: - name: "myrepo" ??
14:40 sandah I have an entry which goes pkg.installed: - sources: specifying a local rpm, which works for the install. But when I update the entry mentioning the local rpm it doesn't upgrade it. Is there another entry I need to add?
14:41 NV joined #salt
14:41 manfred sandah:  it won't update it, because it is already installed
14:42 ccarney_ROCC joined #salt
14:43 VR-Jack2 mage_: cmd.wait with a watch usually works.
14:43 manfred sandah:  is the name the same?
14:43 smcquay joined #salt
14:43 ccarney_ROCC left #salt
14:43 Guest40581 joined #salt
14:43 sandah The package name is the same with a newer version number.
14:43 manfred sandah:  i bet sources: just checks the pkgname, and not the version number before installing.  Would be good to check the salt-call -l debug information
14:44 manfred sandah: i bet that sources just checks the pkgname in the rpm -qi or dpkg —something data
14:44 slav0nic joined #salt
14:44 manfred sandah:  you might try pkg.latest, with the same settings?
14:44 sandah manfred: yeah the non-debug return is      Comment: All specified packages are already installed.
14:45 sandah I'll try that.
14:45 manfred yeah, i bet it just checks name.
14:45 manfred .latest might also check version
14:45 sandah is pkg.latest in 14.7?
14:45 mage_ VR-Jack2 thx
14:46 sandah Function pkg.latest is not available
14:46 Sacro sandah: 14.7 isn't a version
14:46 murrdoc 2014.7
14:46 fusionx86 joined #salt
14:46 sandah Yeah, that's what I meant.
14:46 murrdoc sandah:  u can back port it in
14:46 murrdoc make a file in _states/my_pkg.py (heh)
14:46 murrdoc and put the function in there
14:47 murrdoc it would be easy
14:47 murrdoc are u on ubuntu ?
14:48 sandah So if I change the statefile to .latest instead install would it install it as well?
14:48 sandah centos 6
14:48 Brew joined #salt
14:50 murrdoc pkg.latest is in 2014.7 and will install the package if it exists
14:53 solidsnack joined #salt
14:57 JDiPierro joined #salt
14:58 sandah I have "salt --version - salt 2014.7.5 (Helium)", but get "sudo salt-call pkg.latest ganglia - Function pkg.latest is not available" This is just a test system I can tweak the output for now. I was more curious if I was "doing it wrong"
14:59 iggy pkg.latest is a state, not a module
14:59 sandah Ahh my error.
14:59 iggy if you want a module, pkg.install will always install the latest version available
14:59 VR-Jack2 nano:
14:59 VR-Jack2 pkg.latest
15:00 asaladin joined #salt
15:00 rm_jorge joined #salt
15:01 jonatas_oliveira joined #salt
15:02 sandah http://pastebin.com/cGNB0edz
15:03 gladiatr joined #salt
15:03 giantlock joined #salt
15:04 sandah I updated the sources to new version numbers and I thought that would upgrade the packages. So I should add another entry under pkg.install with pkg.latest and the two package names?
15:04 UtahDave joined #salt
15:04 conan_the_destro joined #salt
15:04 clintberry joined #salt
15:04 schristensen joined #salt
15:06 VR-Jack2 manual rpm installs are different than package management.
15:07 CeBe1 joined #salt
15:08 wendall911 joined #salt
15:11 scbunn joined #salt
15:11 VR-Jack2 sandah: did you try normalize: false?
15:13 SEJeff VR-Jack2, normalize: false is only useful if the package arch is literally part of the package name
15:13 SEJeff VR-Jack2, which generally indicates a horrible packager. I would know, I added that feature for the gpfs packages I needed to install with salt :)
15:14 VR-Jack2 SEJeff: ahh, thought it might affect his sources too
15:14 mike25de hey guys - salt-ssh doesn't work with compound matches... i tried: salt-ssh -C 'I@environment:office' test.ping  should it work?
15:14 SEJeff VR-Jack2, the way to tell if normalize: true will help you: rpm -q --qf '%{NAME}\n' $package-name
15:15 SEJeff VR-Jack2, if it has x86_64, i386, or i686 in the name that command outputs (or something similar) normalize: false is necessary for salt to install it
15:15 SEJeff otherwise, nope :)
15:15 VR-Jack2 cool. thanks
15:15 SEJeff VR-Jack2, Feel free to submit a pull request for the docs on that if you want
15:16 VR-Jack2 I'm just trying to find an option that might assist him. pkg_verify would be greedy, but probably would work
15:16 Auroch joined #salt
15:17 jschroeder joined #salt
15:17 SEJeff VR-Jack2, his best bet is likely cmd.run rpm -Uvh ...
15:17 VR-Jack2 yeah
15:17 VR-Jack2 or build a local repo
15:17 SEJeff But why not just throw that package into a "repo" on a webserver
15:17 SEJeff bingo
15:17 * VR-Jack2 likes local repos
15:17 SEJeff much better approach overall
15:18 iggy aptly-formula ftw
15:19 iggy I mean unless you're using rpm's... then it's not that useful
15:19 murrdoc why doesnt pkg.latest work ?
15:19 murrdoc it works for i
15:19 VR-Jack2 source is specified
15:20 VR-Jack2 it doesn't appear to realize it needs to do an rpm -U
15:20 sandah Yeah we use local repos at work, but for my needs it was easier just to call the package directly. I will look into it.
15:20 speedlight joined #salt
15:20 speedlight joined #salt
15:20 iggy it doesn't take - sources:
15:20 murrdoc doesnt refresh: True account for rpm -U
15:21 murrdoc also u can 'requisite' a pkg.repo for a source
15:21 iggy upgrade to 2015.2 and use only_upgrade: True
15:21 murrdoc only upgrade is apt only
15:21 sdm24 joined #salt
15:22 iggy upgrade to debian and 2015.2 and use only_upgrade: True
15:22 mike25de hey guys - salt-ssh doesn't work with compound matches... i tried: salt-ssh -C 'I@environment:office' test.ping  should it work?
15:22 VR-Jack2 refresh: True might work. it's not documented for it, though
15:23 VR-Jack2 not that the ref manual is always accurate. :)
15:24 murrdoc iggy:  has reached max fuckit and its only thursday
15:24 iggy I'm certainly in a mood
15:24 manfred is it because of baltimore?
15:24 murrdoc refresh True will work, also to quote my russian brethren, documentation is code, code is documentation, code is life
15:25 manfred it is worth noting that usually **kwargs is passed from the state module to the execution module, so most of the things you can do in the execution module you can pass from the state.  And almost none of those are documented
15:25 SEJeff RTFS
15:25 murrdoc yes sir
15:26 murrdoc imho implied
15:26 iggy mike25de: I'm not a salt-ssh user, but it wouldn't surprise me if that was expected not to work
15:26 murrdoc also the archive.tar module stinks to high hell
15:26 murrdoc may the 7 gods pardon those who stank it up
15:26 iggy the archive state module also is fairly terribad
15:27 mike25de iggy:  thanks man
15:27 murrdoc svn stinks too
15:27 murrdoc but i am happy that i know about state.single now
15:27 murrdoc so life is better overall
15:28 VSpike I'm trying to get started with the mine. I've added this https://bpaste.net/show/3f94872969f6 to the pillar universally. I've done sudo salt '*' -b 20 mine.update and most hosts returned true...
15:28 murrdoc gonna have to step it up like Gareth and own a module
15:28 * murrdoc adds to todo list
15:28 VSpike I've then tried various things like salt '*' mine.get '*' network.interfaces and salt 'aws-dev-p-db-1' mine.get '*' status.uptime and so on, but I can never get anything back
15:28 VSpike Am I making a schoolboy error somewhere?
15:29 manfred did you setup your mine_functions to tell the minion what data to put into the mine?
15:29 iggy VSpike: I'm pretty sure mine.update A. is totally broken OR B. doesn't do what everybody seems to think it does
15:29 manfred VSpike:  http://docs.saltstack.com/en/latest/topics/mine/#mine-functions
15:30 iggy manfred: that's what the bpaste was
15:30 manfred oh, missed that
15:30 StDiluted joined #salt
15:30 iggy VSpike: unless 1 hour is enough updating, you'll probably also want to set mine_interval in all your minion config files
15:31 VSpike iggy: ah, ok. What's a sensible lower limit?
15:31 iggy depends what you're using it for
15:31 iggy ours is 5 mins
15:32 manfred i am in the middle of remembering trigonometry and calculus as part of my devtests for my interview with a development team here, so not paying 100% attention…
15:32 manfred dumb circles
15:32 VSpike It's not clear (to me) from http://docs.saltstack.com/en/latest/topics/mine/#mine-interval whether mine_interval goes in the pillar or the salt master config
15:33 VSpike Oh, or minion config
15:33 iggy "set mine_interval in all your minion config files"
15:34 debian112 joined #salt
15:35 VSpike How do you control your minion config without doing it manually? I've avoided having to do it so far.
15:36 iggy salt-formula
15:37 iggy but it should be easy enough to just /etc/salt/minion.d/55-mine_interval.conf:\n  file.managed:\n    - contents: mine_interval: 5
15:38 ndrei joined #salt
15:39 murrdoc mine.conf
15:39 iggy or that
15:42 zions joined #salt
15:42 VSpike Where does the salt.minion state run? On the minion? I don't get it :/
15:42 VSpike Looking at the formula
15:43 murrdoc all states run on minions
15:44 VSpike Does it use salt-ssh?
15:46 iggy it's a normal state, you can use it with any transport (if not, file a bug)
15:48 sdm24 Is anyone else having issues with Salt and the new version of chocolatey? In the chocolatey logs, it says that it needs additional input (to enter 'yes'), and Salt isn't passing that through
15:49 rojem joined #salt
15:49 VSpike I'm thinking about bootstrapping. Can the salt.minion state be used to bootstrap a new machine with no minion? If so, does that require salt-ssh to achieve that? If not, is it just intended to coerce a machine with the minion already installed into exactly the desired state?
15:50 otter768 joined #salt
15:53 rideh joined #salt
15:54 Guest70 joined #salt
15:55 cedwards joined #salt
15:57 berserk joined #salt
15:57 lichtamberg_ left #salt
15:59 iggy it cannot
15:59 iggy B
15:59 iggy it's meant to keep your already installed minion inline with the expected config
16:00 VSpike Ah, right. That makes a lot more sense then!
16:00 bhosmer_ joined #salt
16:01 VSpike So the preferred way to bootstrap salt would be via salt-cloud?
16:02 manfred you can use the saltify salt-cloud driver
16:02 manfred yeah
16:02 VSpike Apart from stupid Windows
16:04 dh joined #salt
16:07 writtenoff joined #salt
16:10 VSpike In http://docs.saltstack.com/en/latest/topics/mine/#mine-functions-aliases, is the line "networkplus.internal_ip_addrs: []" calling the internal_ip_addrs function defined below?
16:11 dalexander joined #salt
16:11 Furao joined #salt
16:12 nliadm left #salt
16:13 murrdoc i need file.managed to compare a file
16:13 murrdoc and error on a difference, but not overwrite
16:14 murrdoc thoughts ?
16:14 iggy test: True
16:14 Guest70 joined #salt
16:14 iggy it won't error, but it will show up as a change (everytime)
16:15 murrdoc i need error on diff
16:15 iggy then you could use the test states to actually throw the error
16:15 iggy with a watch
16:16 bhosmer joined #salt
16:17 Guest15 joined #salt
16:17 ktosiek joined #salt
16:17 spookah joined #salt
16:18 markm joined #salt
16:20 andrewmac[work] joined #salt
16:20 aparsons joined #salt
16:21 circ-user-QATXC joined #salt
16:22 andrewmac[work] Whats the recommended web frontend for a person who's new to salt stack? Halite or SaltPad ?
16:22 SeeDickCode joined #salt
16:22 iggy halite is dead
16:22 edrocks joined #salt
16:22 Rockj joined #salt
16:24 Guest70 joined #salt
16:24 andrewmac[work] right, so SaltPad is the go to then?
16:25 andrewmac[work] there are references scattered all over the docs to Halite, so it's a bit confusing.
16:25 iggy feel free to file (a) bug(s), we'd like to get them out of there at some point
16:26 edrocks is there any way to run multiple states? I have update/stop/run states and I'd like to run all 3 in order on several minions
16:27 iggy highstate? orchestrate? your question is a little vague
16:28 edrocks o I think I can pass multiple states to state.sls
16:28 edrocks that should work
16:28 dalexander joined #salt
16:28 iggy state.sls runs a whole sls file... do you have things broken up that much?
16:28 edrocks I have update/stop/run sls files
16:30 iggy right on... yeah, state.sls update,stop,run or orchestrate is probably your best bet
16:34 twisty7867 joined #salt
16:34 tkharju joined #salt
16:34 garphy`aw joined #salt
16:35 twisty7867 Hi, should I expect this https://gist.github.com/twisty7867/c24bcd8742990d12d238 to work with v2014.7.5 and yaml_utf8: True?
16:35 berserk joined #salt
16:35 ckao joined #salt
16:36 jalbretsen joined #salt
16:38 KyleG joined #salt
16:38 KyleG joined #salt
16:38 VSpike Trying out the salt.minion formula, I'm hitting an error https://bpaste.net/show/ca0a5089f58e ... any idea why it's not finding that file? I've forked the repo and included my fork as a gitfs file root
16:41 theologian joined #salt
16:41 murrdoc whats the map.jinja location with respect to your file.root
16:42 berserk joined #salt
16:45 evle1 joined #salt
16:45 andrewmac[work] the saltpad instructions read: "Set your API_URL if your salt-master is not local and generate a secret key if you want to avoid to reconnect each time your restart SaltPad."
16:46 andrewmac[work] I'm currently seeing "Must provide secret_key to use csrf" error on saltpad app while trying to connect.
16:46 andrewmac[work] What is secret key?
16:46 iggy I'm guessing it's a flask setting
16:46 andrewmac[work] yes, definitely.
16:46 andrewmac[work] it's coming from flask
16:47 VSpike murrdoc: I've added this https://bpaste.net/show/a0ae72de37aa ... my fork is at https://github.com/fastmarkets/salt-formula (exactly the same as the main repo) ... path within the repo is salt/map.jinja
16:47 iggy but the saltpad issue tracker might be a better place to ask questions about saltpad
16:47 andrewmac[work] do most salt stack users not use a web interface at all or something?
16:47 iggy nope
16:48 ek6 err...that would be correct..most do not use a web interface
16:48 iggy VSpike: that won't work (for any formulas)
16:48 VSpike Is it likely an issue that I've set a mountpoint for the formulas? Does the code assume it will be at root?
16:48 iggy VSpike: formulas should not be at a mountpoint
16:48 VSpike iggy: I was worried about namespace clashes
16:49 iggy we use like 15 formulas here at work and haven't run into anything yet
16:50 iggy oh, you mean clashing with your own stuff... yeah, that can happen
16:50 iggy just have to be careful
16:50 VSpike Well.. it's fairly unlikely, that's true :) Just didn't see anything to say it wouldn't work like that, and it worked for the first formula I tried
16:50 berserk joined #salt
16:51 andrewmac[work] Maybe salt stack isn't the right solution to my problem. We manage a large number of windows machines, maintaining updates and installed software, as well as a number of *nix servers. We currently pay for LabTech to manage the windows machines and aren't happy with it. Being python programmers we figured salt stack might be a good open source replacement. Am I far off on this?
16:52 iggy the newrelic-formula doesn't have a map.jinja (which probably means it's really simple or it will only work on 1 distro)
16:52 UtahDave andrewmac[work]: saltstack is awesome for managing windows servers.
16:53 iggy andrewmac[work]: that's really not enough information to give an informed suggestion... but generally speaking, salt isn't the best tool for every job
16:53 iggy it is the best tool for a lot of jobs
16:53 VSpike UtahDave: it's improving :)
16:53 iggy it all really depends what you're doing
16:53 andrewmac[work] if you had 100 windows PCs and you wanted to keep them all in sync in terms of windows updates, maintained an approved/denied list of updates.. would salt stack be a viable choice?
16:53 VSpike Isn't that what WSUS does?
16:54 andrewmac[work] I'm just trying to give a simple contained example since my vague example was not good enough
16:54 scbunn andrewmac[work]: WSUS/SCCM is all you need is to manage updates.
16:54 * andrewmac[work] bashes his head against the wall
16:55 VSpike andrewmac[work]: for most jobs like that, you end up using salt as a remote execution tool for powershell/batch
16:55 VSpike So it depends how comfortable you are with powershell/batch
16:55 jonatas_oliveira joined #salt
16:55 andrewmac[work] pretty comfortable with it, also very comfortable with python. we figured we could end up writing code for the specific tasks we need done on the windows pcs
16:56 VSpike Also you'll probably  find edge cases since Windows use seems relatively rare so far in the salt user base.
16:56 solidsnack joined #salt
16:56 VSpike Helps of course if you're happy to dive into source when things dont work as expected
16:56 UtahDave andrewmac[work]: We've got a lot of customers using Salt on thousands of windows machines.
16:56 andrewmac[work] UtahDave: that's all I wanted to hear :D
16:57 UtahDave andrewmac[work]: writing your own execution modules in python and using salt to execute them is awesome. I do it all the time.
16:57 andrewmac[work] I was getting the impression no one used it on windows
16:57 VSpike andrewmac[work]: UtahDave should know :) but not many of them come to IRC
16:57 UtahDave and/or powershell
16:57 UtahDave Yeah, they tend to not be the IRC types.  But we do have lots of Windows users and the number is growing all the time.
16:57 VSpike good to hear :)
16:58 andrewmac[work] alright, I'll keep truckin' and see what I can come up with
16:58 iggy what do you want the web gui for?
16:58 andrewmac[work] because we have employees who are not shell savvy and need to check the status of the all the minions to ensure they're online
16:59 andrewmac[work] from a windows PC
16:59 iggy (fwiw, SSE has one coming out soon that looks pretty swanky)
16:59 tmclaugh[work] joined #salt
16:59 iggy someone from salt could probably give you more info about that
16:59 denys joined #salt
17:00 andrewmac[work] I can expand the web interface to add anything our admins would need. I just wanted to be sure I'm not picking up a broken piece of software :P
17:00 rideh joined #salt
17:01 UtahDave andrewmac[work]: halite isn't really being worked on any more, but It would probably show you what minions are up.   Our enterprise GUI should be released soon, too. (like this week or next)
17:01 andrewmac[work] UtahDave: is that open source?
17:01 andrewmac[work] (your web solution)
17:01 UtahDave andrewmac[work]: Salt comes with an api, so you could also have an existing internal web app query Salt for the status of the minions, too
17:02 giantlock joined #salt
17:02 murrdoc UtahDave:  enterprise gui is the only way to get salt-db ?
17:02 andrewmac[work] yeah, I'm starting to think in the end I'll be building the majority of the web interface, though having a starting point would be nice
17:02 VSpike can i assume that settings in /etc/salt/minion.d/ override those in /etc/salt/minion ?
17:03 Morbus joined #salt
17:03 iggy VSpike: I'm not sure I'd rely on that (but it will override defaults)
17:04 VSpike My /etc/salt/minion already has mine_interval: 60 in it
17:04 julienlavergne joined #salt
17:04 VSpike That's a default config file AFAIK. Created either by the ubuntu package, or by salt-cloud's bootstrap
17:05 VSpike Not sure which
17:05 iggy is it actually uncommented?
17:05 VSpike yep
17:05 iggy that's stupid
17:07 MorbusIff joined #salt
17:08 andrewmac[work] so, to enable salt-api I would just add the following to the bottom of /etc/salt/master ? http://hastebin.com/puwijowiqe
17:09 iggy andrewmac[work]: and start the salt-api service
17:09 andrewmac[work] which would be salt-api -d
17:09 andrewmac[work] ?
17:09 Morbus joined #salt
17:09 iggy *shrug* my distro has an init script for it
17:09 iggy but that looks right
17:10 hal58th joined #salt
17:11 MorbusIffElse joined #salt
17:12 andrewmac[work] I can connect to saltpad (which is running on the same server as saltmaster) but when I try to login it spits out "Could not connect to salt-api at URL 'http://localhost:8000/login'"
17:12 andrewmac[work] hmm
17:13 adelcast joined #salt
17:13 iggy and netstat shows python listening on 127.0.0.1 8000 ?
17:13 MorbusIff joined #salt
17:13 kunersdorf joined #salt
17:14 andrewmac[work] good point. no, it doesn't.
17:14 signull joined #salt
17:14 iggy salt-api logs to the master log file
17:15 dendazen if inside state i have 2 files: init.sls and config.sls and in top.sls i provide that state for some server node group: -services.graphite I see that init.sls part gets run but config.sls doesn’t get run, should i place ‘include’ stanza in init.sls for that config.sls?
17:15 iggy check to see if it's giving any useful error messages
17:15 iggy (and make sure you have the dependencies from the docs installed)
17:15 iggy dendazen: if you always want config run with init, then yes
17:16 andrewmac[work] yep, lots of useful errors haha. I'm on it, will report back soon.
17:16 dendazen Yeah, that’s the plan, what if i want separately i should explicitly point to it like services.graphite.config?
17:19 JDiPierro joined #salt
17:20 ajw0100 joined #salt
17:22 iggy dendazen: yep
17:23 dendazen Thank you iggy. Also had a question: I just hired a junior guy and since I am going through salt trial and error learning, is there a better way to learn salt, courses or sessions for him? We do not mind paying.
17:23 Morbus joined #salt
17:23 iggy SSE has some remote classes
17:24 hal58th dendazen, i think they offer online training
17:24 dendazen In my case i just have a lot of stuff to take care, so i never have time for something like this, but I am pretty sure that hands-on training could be invaluable for him.
17:24 iggy and they do a 2 hour (or so) intro to Salt webinar frequently
17:24 dendazen what is SSE?
17:24 iggy SaltStack Enterprise
17:24 dendazen Thank you.
17:25 bhosmer_ joined #salt
17:25 perfectsine joined #salt
17:25 iggy I'm sure you can find someone to contact through saltstack.com, but if not, let me know, I've got a few people's info there
17:26 dendazen Thank you.
17:33 bhosmer__ joined #salt
17:33 blacked joined #salt
17:33 UtahDave I have to head to a meeting, but you can email at dave@saltstack.com, dendazen
17:33 dendazen Thank you I will.
17:34 Morbus joined #salt
17:36 hal58th_ joined #salt
17:37 lietu- joined #salt
17:37 andrewmac[work] okay, so the rest_cherrypy bit in the salt config spits out "Error loading CherryPy: No module named cherrypy" but I've tried pip install cherrypy and pkg install www/py-cherrypy and both succeeded.
17:37 mapu joined #salt
17:37 andrewmac[work] (I'm on FreeBSD 10 btw)
17:37 overyander joined #salt
17:37 rojem_ joined #salt
17:37 keimlink_ joined #salt
17:38 Guest70 joined #salt
17:38 illern_ joined #salt
17:38 dh__ joined #salt
17:39 Berty__ joined #salt
17:39 bhosmer_ joined #salt
17:40 stanchan joined #salt
17:40 andrewmac[work] if I fire up python2.7 and import cherrypy it works
17:40 andrewmac[work] so wtf is rest_cherrypy complaining about .. hmm
17:45 iggy salt is using the same version of python?
17:45 andrewmac[work] how would one check that? as far as I know I only have 2.7 installed
17:49 iggy salt-call --versions
17:50 iggy but yeah, if you only have 1 version, then that's probably not it
17:50 ndrei joined #salt
17:50 marcinkuzminski joined #salt
17:50 hal58th joined #salt
17:51 ajw0100 joined #salt
17:51 otter768 joined #salt
17:51 andrewmac[work] yeah, I see the same output string from Python: from that command as I do when I just run python2.7
17:51 rome_390 joined #salt
17:52 amcorreia joined #salt
17:53 Nazca__ joined #salt
17:53 snaggleb joined #salt
17:54 Plastefuchs joined #salt
17:54 armguy joined #salt
17:54 fxhp joined #salt
17:54 iggy out of ideas :/
17:54 kbyrne joined #salt
17:54 andrewmac[work] me too :(
17:54 iggy we personally use saltnado
17:55 krelo joined #salt
17:55 mike25de joined #salt
17:56 ageorgop joined #salt
17:56 jdesilet joined #salt
17:56 jalbretsen joined #salt
17:57 andrewmac[work] I'll give it a shot. I'm not partial to any webserver, I just want the damn thing to work
17:57 andrewmac[work] I've been fighting this battle since 9 AM this morning and its 3 PM
17:58 tmclaugh[work] joined #salt
18:00 solidsnack joined #salt
18:05 c10 joined #salt
18:05 linjan joined #salt
18:06 ec3 joined #salt
18:06 druonysus joined #salt
18:06 druonysus joined #salt
18:07 iggy it took me a while the first time (2 days iirc)
18:10 ec3 Hi all. I'd like to deploy github.com/saltstack-formulas/vim-formula.git
18:10 ec3 so I added it to my /etc/salt/master file in the appropriate place
18:10 ec3 now what?
18:11 ec3 I'd like to have it installed on all my minions
18:11 ec3 should I use a pillar?
18:12 ec3 "formulas are the future" I am led to believe
18:13 druonysuse joined #salt
18:14 ec3 does a salt master automatically git clone the formula for me?
18:16 catpig joined #salt
18:16 bhosmer__ joined #salt
18:17 zekoZeko ec3: in your top.sls (salt, not pillar) add - vim
18:17 zekoZeko ec3: to the minions you want.
18:17 zekoZeko ec3: if there's any config needed, it will be in the pillar
18:17 cheus joined #salt
18:17 zekoZeko ec3: you create a new .sls in pillar that looks like example.pillar in the formula and include that for your minion in pillar top.sls.
18:18 ajw0100 joined #salt
18:18 zekoZeko ec3: i haven't looked at the vim formula, but that's how you do it in general.
18:18 ec3 thanks zekoZeko
18:18 zekoZeko np
18:19 ec3 http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html
18:19 ec3 is confusing for me.
18:19 KyleG joined #salt
18:19 KyleG joined #salt
18:19 ec3 I guess I'll manually clone the formula
18:19 andrewmac[work] Oh, I think I'm just an idiot. Salt master doesn't clear the log file on restart? I think I was just looking at the same error as I got before, not a new one (regarding the rest_cherrypy)
18:21 zekoZeko ec3: you can do that too, besides that if you want to extend the formula you'll have to clone it to the master or use gitfs on your own clone.
18:21 zekoZeko ec3: cloning it is a good thing anyway, you never know when the formula on github might change and screw you over...
18:21 whytewolf it is better to clone a formula anyway. so you are not trapped by their releases.
18:21 ec3 how to use gitfs is really what I'm wondering
18:22 zekoZeko ec3: you add it to /etc/salt/master, restart master and you can use it.
18:22 bhosmer_ joined #salt
18:22 ec3 use it how?
18:22 zekoZeko ec3: master clones it, but you never see the files anywhere, it does not create a working dir, just a git repo
18:22 zekoZeko ec3: i tolk you how, just add it to salt top.sls where you want to use it.
18:22 zekoZeko tolk=told
18:23 ec3 ok, so I just configure it after the restart
18:23 zekoZeko ec3: step 1: add to /etc/salt/master
18:23 ec3 (configure the formula in an sls file
18:23 zekoZeko ec3: step 2: restart master
18:23 ec3 check
18:23 ec3 check
18:24 andrewmac[work] boo ya! finally got saltpad to work
18:24 zekoZeko ec3: step 3: /srv/salt/top.sls: 'minionid': \n- formulaname
18:24 zekoZeko ec3: step 4: highstate
18:24 ec3 then what, mkdir /srv/formulas/vimformula ?
18:24 zekoZeko no
18:24 zekoZeko nothing
18:25 ec3 ok
18:25 ec3 just top.sls
18:25 zekoZeko after step 2, master clones the repo
18:25 zekoZeko you don't see files
18:25 zekoZeko they're in some cache somewhere, don't know the location
18:25 ec3 how can I be sure it's cloned the repo?
18:25 ec3 ok.
18:25 zekoZeko because it will install stuff on minionid
18:25 zekoZeko or check the logs
18:25 zekoZeko dunno
18:25 zekoZeko just works for me
18:25 wt joined #salt
18:28 zekoZeko ec3: oh yeah, you'll know it works because on highstate it won't barf that there's no state "formulaname"
18:29 zekoZeko unless you also have formulaname.sls or formulaname/init.sls in your /srv/salt :)
18:29 zekoZeko but then you have bigger problems i guess.
18:30 kurt_ joined #salt
18:31 ec3 heh. I just ran salt '*' state.highstate and there was no output
18:31 sdm24 Does anyone know of an easy-ish way to upgrade a Windows salt minion, while keeping my old minion.conf files and some states saved on the minion in C:\salt?
18:31 ec3 so I guess it worked. heh.
18:32 kurt_ is there a way to load pillar data from postgres? i see the mysql ext_pillar option, but dont see a similar option for postgres.
18:32 kurt_ contribution guidelines say to ask here before opening feature request / working on a PR. :)
18:41 iggy kurt_: not yet ;)
18:41 zekoZeko ec3: you should have had output... is your formula the only state that is running?
18:41 zekoZeko ec3: maybe it just took too long, or the formula does nothing without configuration...
18:42 zekoZeko ec3: you should check the job output anyway
18:42 kurt_ @iggy thanks. i came across https://groups.google.com/forum/#!topic/salt-users/2pAl2FRQHrE . it seems like short of creating a PR, the method of writing python directly in a pillar file could achieve something similar
18:43 c10 joined #salt
18:44 stoogenmeyer_ joined #salt
18:46 teepark left #salt
18:46 res0nat0r joined #salt
18:46 evle2 joined #salt
18:47 kuromagi joined #salt
18:47 iggy it would be nice if there was an official postgres ext_pillar
18:50 speedlight joined #salt
18:50 dh joined #salt
18:50 Guest12455 joined #salt
18:53 kurt_ i definitely agree.
18:54 Edgan joined #salt
18:59 andrewmac[work] hmm.. when I run: salt '*' test.ping it takes upwards of 7 seconds for the first PC to respond. They're both on the same local network.. why 7 seconds?
19:02 zekoZeko is there a way to "fill" a file from two pillar variables? I have my SSL certificate (key/cert/intermediate) in pillar and creating files from that with content_pillar, but have to create a template for the file that contains both my cert and the intermediate one.
19:03 slav0nic joined #salt
19:03 slav0nic joined #salt
19:04 perfectsine_ joined #salt
19:05 hybridpollo joined #salt
19:05 racooper joined #salt
19:06 vexati0n HEY #salt. I upgraded a master and a syndic-master to 2014.7.5, and now I can't get any data back from minions connected to the syndic master. anything connected directly to the top level master responds fine, and everything connected to the syndic responds to the syndic just fine, but the syndic isn't relaying responses from its minions back to the top master.
19:06 vexati0n i watch the debug log and commands from the top master are being published and replies are being received, but none of those replies are being given back to the top master
19:07 solidsnack joined #salt
19:07 c10 joined #salt
19:08 Hell_Fire joined #salt
19:09 blacked joined #salt
19:09 giantlock joined #salt
19:10 yaryarrr zekoZeko: could you use the file.append or prepend? http://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.append
19:10 zekoZeko let me check...
19:11 zekoZeko that would be two states then... still better than a useless template i guess.
19:13 zekoZeko i'll try right now.
19:13 Hell_Fire_ joined #salt
19:14 mikeywaites joined #salt
19:16 hal58th_ joined #salt
19:17 zekoZeko it would be great if file.append could take a local file as source, not only various remotes...
19:18 ndrei joined #salt
19:21 bVector hey guys, I have a {{ salt['pillar.get']('bind:config:recursion', 'no') }} in a template file, and the following pillar http://pastebin.com/5gzfDpxT
19:21 bVector and I just figured out what its not working
19:21 dendazen I get this error with my jinja template
19:21 dendazen http://pastebin.com/5JN9gnk0
19:21 bVector as I was typing that
19:21 dendazen can someone take a look?
19:21 bVector changing line 4 in the pillar to     - recurstion: 'yes'
19:21 bVector fixed the issue
19:21 dendazen please
19:22 bhosmer joined #salt
19:24 bVector looking
19:25 bVector it looks like it doesnt like dashes in variable names
19:26 MTecknology I think I need some help cleaning up the logic here. It's kinda really old. (http://dpaste.com/0P4Y5GJ) The issue comes in because I want to add snmpv3 users, but to do that you need to kill the service, edit a file, and then start the service again. What I have now works, but it feels clunky and the snmpd-off and snmpd-on states ALWAYS run.
19:26 blacked joined #salt
19:26 bVector dendazen: look at a similar issue here with ansible https://github.com/ansible/ansible/issues/3907
19:27 dendazen oh
19:27 zekoZeko dendazen: try set 'syslog-ng' = ...
19:27 Hell_Fire_ joined #salt
19:27 bVector ah yes, quoting it
19:28 iggy vexati0n: open an issue
19:29 iggy (search for an open one first)
19:30 BuGless left #salt
19:30 dendazen let me try
19:30 cztanu1 joined #salt
19:30 smcquay joined #salt
19:32 thayne joined #salt
19:32 harkx joined #salt
19:32 perfectsine joined #salt
19:32 Ouzo_12 joined #salt
19:32 xMopxShell joined #salt
19:33 LtLefse_ joined #salt
19:33 vincent_1dk joined #salt
19:33 aparsons joined #salt
19:33 paha joined #salt
19:33 Corey_ joined #salt
19:33 Corey_ joined #salt
19:33 k00mi joined #salt
19:33 vimalloc joined #salt
19:33 Guest15 joined #salt
19:34 asaladin joined #salt
19:34 bVector joined #salt
19:35 dendazen now i get   this: http://pastebin.com/ABDecqJp
19:36 zekoZeko i was wrong then.
19:36 jdesilet joined #salt
19:36 zekoZeko don't know how you can escape that - then, i presume that is the issue.
19:40 dendazen yeah it seems like.
19:42 murrdoc joined #salt
19:43 dendazen yeah i just think it is a python thing
19:43 zekoZeko i had a bunch of problems with quoting
19:43 dendazen the same where python doesn’t support variable names with hyphen in them
19:44 zekoZeko when i did my asterisk extensions (they're numeric) I didn't quote them and  it worked
19:44 spookah joined #salt
19:44 dendazen since it is subtraction operator
19:44 zekoZeko when i added another that's not numeric i had to quote it and it wouldn't sort before the unquoted ones :)
19:44 zekoZeko in pillar
19:44 zekoZeko dendazen: are you writing a syslog-ng formula on your own? I thought there was one already...
19:45 dendazen there was one but it used mako template, i created jinja template
19:45 zekoZeko i see
19:47 dendazen I will modify that variable and see what’s up
19:48 iggy dendazen: don't put quotes around syslog-ng
19:48 dendazen but it fails anyway if i do or if don’t.
19:48 iggy fails the same way?
19:48 dendazen no, different way
19:49 iggy quit using pastebin
19:49 dendazen what do you use?
19:49 iggy I can't even look at your pastes because they are under heavy load (i.e. 5 viewers)
19:49 iggy the /topic mentions gist.github.com
19:49 ageorgop joined #salt
19:50 dendazen Ok.
19:50 andrewmac[work] is this the proper way to add parameters to a command line call: salt '*' cmd.run "whoami" user="TestUser" ?
19:51 dendazen https://gist.github.com/anonymous/a910228a8bd5f21f6527
19:51 iggy andrewmac[work]: yes*
19:52 otter768 joined #salt
19:52 iggy dendazen: set syslogng
19:52 iggy or syslog_ng
19:52 iggy or anything other than a math operator
19:53 dendazen yeah, i figured.
19:53 dendazen Thanks.
19:55 Hell_Fire joined #salt
19:58 andrewmac[work] well, thats enough for me for one day. Thanks for all the help folks
19:59 iggy good luck tomorrow
19:59 pannon left #salt
20:01 bhosmer_ joined #salt
20:05 Guest70 joined #salt
20:05 murrdoc but postgres stinks
20:05 * iggy smacks murrdoc
20:05 ajw0100 joined #salt
20:05 vexati0n so... what is RAET and do i need it?
20:06 iggy no
20:07 perfectsine joined #salt
20:07 vexati0n would it potentially help with high-latency deployments? apparently our saltstack implementation is "weird" and "not at all what salt was designed for"
20:08 iggy define high-latency
20:08 vexati0n minions are on the other end of the internet
20:09 vexati0n with various firewalls and whatnot trying to impede our empire of robot agents
20:09 iggy yeah, sounds bad
20:09 iggy and I doubt raet would help
20:10 vexati0n well, it's actually pretty neat.
20:10 vexati0n so there.
20:10 cberndt joined #salt
20:11 murrdoc should have called it reat
20:11 murrdoc neat reat ftw
20:11 vexati0n actually the only problems we have are with minions that stop responding for no intelligible reason at all.
20:12 iggy raet might help
20:12 iggy 2015.2 might help more
20:12 iggy (and switching to 2015.2 is easier than switching to raet)
20:12 vexati0n well, it isn't easy to switch to either one since the vast majority of minions are sort of forcibly held at CentOS 5.
20:13 vexati0n it was hard enough to get up to 2014.7
20:15 perfectsine_ joined #salt
20:15 danblee joined #salt
20:17 danblee Hi there. I had a question regarding keys. I'm doing automated deploys with salt-minion already installed. This means each minion isn't getting a unique key. Is this going to be a problem?
20:17 vexati0n yes that'll be a problem. but you can just delete the key.
20:17 bhosmer joined #salt
20:17 ec3 I'm a little unclear as to whether I should have a /srv/salt/top.sls AND a /srv/pillar/top.sls
20:18 whytewolf yes ec3, you should. one is for pillars the other is for states.
20:18 danblee Thanks vexati0n. If I delete that key will salt generate a brand new key for each new minion?
20:18 ec3 thanks
20:19 vexati0n danblee: yes, if the key is missing the minion will just generate a new one. but you should also make sure the minion id's are unique.
20:19 blacked joined #salt
20:20 vexati0n what we do is -- 1) install minion; 2) delete everything in /etc/salt; 3) generate a new /etc/salt/minion file by automated script; 4) restart minion; 5) accept the key/id on the master.
20:20 fyb3r joined #salt
20:20 bhosmer_ joined #salt
20:20 vexati0n there are probably more graceful ways to do it, but we like to be technological barbarians.
20:22 adelcast left #salt
20:24 solidsnack joined #salt
20:24 seth__ joined #salt
20:24 bhosmer joined #salt
20:25 catpig joined #salt
20:25 iggy lol, technological barbarians
20:25 seth__ Is there any way to to limit an overstate run to a subset of the matching targets for each task/function?
20:25 danblee hmm, I notice if I remove the id that's in /etc/salt/minion_id and restart services it will automagically generate a new one by hostname.
20:26 seth__ Imagine I target all of my nodes by role in my overstate -- I would like to be able to run the entire overstate for all of those roles against just one datacenter (for example)
20:26 seth__ Happy to file an issue and look into making this happen if there isn't a way to do it
20:26 iggy danblee: correct
20:27 ec3 so if I have all my desired packages listed in /srv/pillars/top.sls I use the /srv/salt/top.sls to declare what services I want running?
20:27 adelcast joined #salt
20:27 adrianhannah left #salt
20:27 iggy that's one way to do it
20:28 iggy "Whatever works best for you"
20:28 ec3 yeah.
20:28 whytewolf " what ever hurts the least"
20:28 ec3 I want to be as modular as possible with my salt
20:29 danblee Thanks all!
20:29 iggy seth__: A. probably shouldn't be using overstate B. No
20:31 seth__ Got it. As in, "should never be using overstate for anything," or "should not be using overstate for this case"?
20:31 iggy "should not be using overstate for anything new"
20:31 seth__ Sorry -- s/overstate/orchestrate/g
20:32 keimlink joined #salt
20:32 iggy ok, good... still, no
20:33 seth__ Think it would be useful? I'm happy to look into implementing it
20:33 iggy me personally, no
20:33 iggy I can't speak for others
20:34 ndrei joined #salt
20:34 seth__ How would you accomplish the example I gave? Is there another way to spin this if you have redundant systems?
20:35 iggy batch size?
20:35 c10 joined #salt
20:35 iggy there are a few tickets open about doing rolling restarts, so you might be able to piggy back off those
20:35 seth__ Say I want to roll to one datacenter and wait a few days before rolling to the next
20:36 iggy my orchestrate files are pretty simple, I'd just duplicate them and narrow down the targeted minions (personally)
20:36 iggy but a more general approach to the problem could be desirable to others
20:38 seth__ I don't buy it, not very DRY. I'm going to file a ticket
20:38 c10 joined #salt
20:39 iggy barring that, I imagine I could rig up something by passing env and/or pillar to orchestrate
20:39 snarfy joined #salt
20:42 seth__ What do you imagine? I have a hard time seeing that without conditionals all over the place.
20:44 badon_ joined #salt
20:44 bhosmer joined #salt
20:46 monkey- joined #salt
20:47 Meertle joined #salt
20:48 Meertle Is there a way to have saltstack enforce that only a certain group of users exists on a system?  I have a list of users that should be the only ones to exist, and if I remove one I want them to be removed from the system.
20:48 blacked1 joined #salt
20:50 snarfy Meertle, might try https://github.com/saltstack-formulas/users-formula
20:51 Guest70 joined #salt
20:52 iggy anybody know (off the top of their head) where salt gets its version info from when installed via git/salt-bootstrap?
20:52 iggy I have an env that has all the same git revision installed, but some minions are showing up as newer and older than the master
20:54 toastedpenguin joined #salt
20:55 Meertle snarfy: This only appears to add users, and remove users by setting them to absent.  I want the system to automatically clean up users that should not be there that are unknown
20:55 baweaver joined #salt
20:56 iggy that sounds like a bad idea
20:56 whytewolf a very bad idea. forget a system account in your list and you have a hosed system
20:56 iggy what happens if a package needs a user, but you don't have it in your config?
20:56 Meertle Well, not system accounts.  User accounts in /home/ that should not be there to be specific
20:57 perfectsine joined #salt
20:57 baweaver joined #salt
20:57 coval3nce joined #salt
20:58 coval3nce anybody use salt-ssh here to install salt on brand new boxes?
21:00 whytewolf iggy: about your problem with salt-bootstrap IIRC it depends on the options handed to it. if no options are supplied it uses the latest stable that is in the repo for that distro. but i could be wrong
21:01 StDiluted joined #salt
21:03 iggy whytewolf: right, I'm specifically telling it to install git, it installs the latest revision on all minions, they all have the same git checkout, but the version shows up as different
21:04 iggy i.e. 2015.2.0rc2-209-g6e18810 2015.2.0rc2-851-g6e18810
21:04 iggy see the -gXXXXXXX, that's the git commit hash that it installed from
21:04 iggy but the 3 numbers preceding that are different for some reason
21:07 tentimes joined #salt
21:07 tentimes Is it possible to tell if a state is applied to a minion from another state init.sls file?
21:07 whytewolf yeah i have no idea then. the commit levels are the same. not sure what the three numbers in the middle represent
21:09 iggy tentimes: no... that's kind of against the idea of salt... every state you apply to a minion (via top targeting) should be able to be applied no matter what
21:11 BretFisher joined #salt
21:11 tentimes iggy: I don't want to prevent a state from being applied, I just want to know if a state is being applied to a node from another state and make a decision based on that
21:12 BretFisher joined #salt
21:13 iggy check for something the other state does (i.e. if it's a package install, check for a file it installs)
21:14 crimeircd joined #salt
21:15 c10 joined #salt
21:17 baweaver joined #salt
21:18 sdm24 Hey sorry I'm in a rush and don't have time to submit a proper issue, at least not immediately, but I updated my windows salt minions to v2014.7.5 and now my Windows network.managed state won't work, with an error "AttributeError: 'module
21:18 sdm24 ' object has no attribute 'inet_pton'
21:19 sdm24 can someone please confirm this? I might have upgraded my minions incorrectly (I used the winrepo with the installer saved on my master)
21:19 sdm24 sorry i have to go now
21:20 Guest70 joined #salt
21:21 Ahlee sdm24: restart wmi
21:22 Ahlee although you're gone now so you won't see that
21:22 solidsnack joined #salt
21:24 sdm24 joined #salt
21:24 Guest70 joined #salt
21:24 sdm24 Ahlee: Thanks for the help. I was able to miss the beginning of the meeting to try and fix this
21:29 rm_jorge joined #salt
21:30 tmclaugh[work] joined #salt
21:34 tmclaugh[work] joined #salt
21:35 ageorgop joined #salt
21:45 itru joined #salt
21:45 Heartsbane so I did a "salt -v <host> pip.install docker-py" on my docker host but I can't seem to interface with Docker?
21:45 Heartsbane first time doing this so why can't I pull any docker-ng.info ?
21:47 iggy you need to restart the minion after that
21:47 Heartsbane yes
21:47 iggy (or if you do the install with a state, use reload_modules: True)
21:48 gladiatr joined #salt
21:51 ajw0100 joined #salt
21:51 StDiluted joined #salt
21:52 Heartsbane iggy: I have restarted the salt-minion and it keeps returning     'docker-ng.info' is not available.
21:52 Heartsbane Any ideas
21:52 iggy what version of salt?
21:52 otter768 joined #salt
21:53 murrdoc best version
21:53 murrdoc salt --version == north korea
21:53 Heartsbane salt-minion 2014.7.1 (Helium)
21:53 iggy it's only in devel
21:53 Heartsbane I guess I need Beryllium?
21:53 iggy that's devel
21:53 iggy i.e. not even close to being released
21:54 Heartsbane basepi: Tell UtahDave ... someone has sum splainin to do
21:55 iggy you might be able to grab the module/state and put them in _modules/_states
21:55 enarciso joined #salt
21:55 murrdoc uh hmm
21:55 Heartsbane ya that explains it
21:56 Heartsbane thanks
21:57 iggy not even in 2015.2 (just checked)
21:57 Heartsbane thanks
21:58 hhtpcd joined #salt
21:58 basepi Hehe, I have forwarded your veiled threat. ;)
21:58 hhtpcd left #salt
21:58 murrdoc it will was always 2015.5
21:58 murrdoc 5 is 2 for backwards compatibility
21:59 rojem joined #salt
22:03 prwilson_ joined #salt
22:03 giantlock joined #salt
22:04 fyb3r left #salt
22:10 Guest70 joined #salt
22:11 nzero joined #salt
22:11 subsignal joined #salt
22:12 nzero joined #salt
22:12 blacked joined #salt
22:13 nzero joined #salt
22:17 markm joined #salt
22:17 Heartsbane basepi: thanks
22:17 basepi hehe, yep
22:17 blacked1 joined #salt
22:18 bhosmer joined #salt
22:19 carmony joined #salt
22:21 solidsnack joined #salt
22:21 * Heartsbane blames peno.
22:23 crimeircd left #salt
22:24 solidsnack joined #salt
22:26 MaliutaLap joined #salt
22:28 Ryan_Lane what's our policy on including MIT licensed code in modules?
22:28 Ryan_Lane I need to copy some boto code into a module
22:29 mpanetta joined #salt
22:29 vexati0n just rewrite it slightly differently and pretend it's new work, and license it under GPLv2
22:29 vexati0n or is that unethical
22:30 Ryan_Lane salt is apache2 licensed. they're compatible
22:30 Ryan_Lane I just don't know the right way to do the inclusion
22:31 murrdoc v<shift+g>u
22:31 murrdoc new code
22:31 rojem joined #salt
22:32 iggy "Portions of this file licensed under MIT"
22:33 iggy consult a lawyer
22:33 pelzi__ you just need to preserve the license comment and original copyright. that's all there is to it.
22:40 [7hunderbird] joined #salt
22:41 Ryan_Lane nevermind. I just made a PR for boto.
22:41 Ryan_Lane easier to make the function I want public and just check for the function definition in the module to see if the public or private one is available
22:42 tmclaugh[work] joined #salt
22:42 echo joined #salt
22:44 helderco joined #salt
22:46 murrdoc joined #salt
22:47 vimalloc Would someone mind taking a look at this and telling me what I'm overlooking? I'm trying to get a service to restart if a file changes: https://gist.github.com/anonymous/11db46bad12fb3cf7c0b
22:48 vimalloc The init script works, but then I change the file under the watch condition it doesn't get automatically restarted
22:49 iggy vimalloc: what's changing?
22:50 vimalloc I make an arbitrary change to salt://kvm/files/kvm-customer-daemon.py
22:50 vimalloc Change gets pushed, but no service restarting goodness
22:51 ageorgop i was able to do something like this with my grub file
22:51 iggy looks okay to me (try taking it out of require, watch implies that)
22:51 ageorgop http://pastebin.com/YFsnNtsp
22:52 iggy and use service.running (instead of service\n - running)
22:54 vimalloc iggy: Hrm. Applied those changes, still no luck.
22:55 vimalloc In the output I see Function: service.running, result: True, comment: Service kvm-customer-daemon is already enabled, and is running
22:55 vimalloc but nothing about restarting it
22:55 iggy and the other one is definitely showing changes? can you paste the entire output?
22:55 vimalloc yeah, 1 sec
22:58 vimalloc https://gist.github.com/anonymous/68a50cb72ed17effafa7
22:58 jonatas_oliveira joined #salt
22:59 baweaver joined #salt
23:02 SeeDickCode joined #salt
23:04 vimalloc Could it be trying to call reload instead of restart on the init script, or something like that?
23:05 vimalloc hrm, didn't realize it was 5 already. I'll come back to this tomorrow. Thanks for the help iggy
23:06 JDiPierro joined #salt
23:06 jeddi joined #salt
23:07 vexati0n so judging by the fact that there have been zero replies to my Issue on github, I must just be doing something wrong with Syndic
23:07 iggy I don't think a lot of people use syndic tbh
23:08 vexati0n yeah... i'd rather not but we have to with our setup
23:08 florinandrei joined #salt
23:08 iggy and all the actual devs are probably super busy trying to get 2015.2 out the door before they hit the 3-month-late mark
23:09 vexati0n i don't understand software development. if devs would just make the product perfect and complete the first time, they wouldn't need to have revisions.
23:09 iggy ikr
23:09 iggy oh wait, I work for a software company, then I'd be out of a job
23:09 VR-Jack2 on the other hand, it would never get released. :)
23:09 vexati0n yeah me too :/
23:09 spookah too much scope creep?
23:14 MatthewsFace joined #salt
23:19 AlexStraunoff joined #salt
23:20 SeeDickCode joined #salt
23:21 solidsnack joined #salt
23:22 bfoxwell joined #salt
23:24 linjan joined #salt
23:25 pannon joined #salt
23:26 mosen joined #salt
23:28 cztanu joined #salt
23:28 pannon quick question: is pillar data in git translated into environments the same way as branches for state files?
23:28 pannon this doc seem to suggest separate git repos per environment http://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.git_pillar.html
23:30 iggy pannon: I think you just need to set the branches up... they don't necessarily have to be in a different repo
23:31 pannon iggy: so the same way as state files in git then...
23:32 iggy pannon: I've never actually messed with it, but it looks like it's not automatic (like file_roots gitfs)
23:33 pannon iggy: yes, that's my feeling too
23:33 pannon seems that pillar needs different repo per env
23:33 iggy so you have to set an entry for each branch
23:33 iggy from the docs it looks like you just need a different branch per env
23:33 iggy they just aren't automatically mapped, so you need an entry for it
23:34 pannon ah... OK - that makes sense
23:34 pannon iggy: thanks for your help
23:34 mpanetta joined #salt
23:38 baweaver joined #salt
23:38 Tyrm joined #salt
23:44 MaliutaLap left #salt
23:45 fbettag joined #salt
23:49 fbettag joined #salt
23:49 pannon iggy: seems that pillar git is broken anyway https://github.com/saltstack/salt/issues/23006
23:49 pannon definitely breaks my salt
23:49 MatthewsFace joined #salt
23:51 tmclaugh[work] joined #salt
23:52 * iggy is on 2015.2
23:53 otter768 joined #salt
23:56 * iggy stabs cmd.run
